1 |
On 03/03/2010 17:35, Natanael Copa wrote: |
2 |
> On Wed, Mar 3, 2010 at 5:14 PM, Ed W<lists@××××××××××.com> wrote: |
3 |
> |
4 |
> |
5 |
>> I don't have physical access to all machines, so any interesting cheap |
6 |
>> random number generator dongles would be interesting to know about, but will |
7 |
>> not be a full solution in this case. If I'm missing some obvious option |
8 |
>> which is available on recent Intel/AMD hardware which might give me larger |
9 |
>> amounts of entropy then please shout? |
10 |
>> |
11 |
> media-sound/audio-entropyd? |
12 |
> |
13 |
> |
14 |
|
15 |
Thanks for the idea - the server is a rackmount thing rented from a |
16 |
hosting company and I don't think it has any soundcard onboard... |
17 |
|
18 |
I believe that the kernel doesn't use the network interrupt for |
19 |
randomness, only keyboard, mouse and HD. This isn't a great situation |
20 |
for a headless, mouseless webserver which tries as hard as possible not |
21 |
to touch the disk... |
22 |
|
23 |
I ordered an "Entropy Key" from here: http://www.entropykey.co.uk/ |
24 |
|
25 |
This will help for the office server, but it doesn't really sort out my |
26 |
rented racks (no, don't really want some crazy solution involving ssh |
27 |
piping the data to it...) |
28 |
|
29 |
Would be very grateful for any other ideas here. I think the solution is |
30 |
likely to use a lower quality rng source for the SSP protection rather |
31 |
than generating more entropy - I'm not really see that a super high |
32 |
quality rng source is really needed for SSP? Possibly a local attacker |
33 |
can write code which flogs the rng until they figure out the params, |
34 |
then use it as part of an SSP attack, however, its low on my list of |
35 |
fears... |
36 |
|
37 |
I can see that glibc previously used to use erandom, but this patch was |
38 |
dropped - any reason? |
39 |
|
40 |
Cheers |
41 |
|
42 |
Ed W |